a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a

General

Target

a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
Size

554KB
MD5

b2deb3fa1acb774a1e5b17013d474d71
SHA1

e32774f940c4e8bdb19e0d33689bf4f56ab90895
SHA256

a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a
SHA512

913fc4b339ac0af4c89c3ad2b0af2ef29f245e91befff960bd3b78da9071c8c8457ef1ace01d91e0c2f58bacbd87b7b2f0734c86cd27156ecd837bce035aec8b

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewylinls = "\"C:\\Windows\\ynoxidux.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exea898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe

description	pid	process	target process
PID 2044 set thread context of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 1648 set thread context of 1808	1648	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\ynoxidux.exe explorer.exe
File created C:\Windows\ynoxidux.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

780 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\ynoxidux.exe	explorer.exe
File created	C:\Windows\ynoxidux.exe	explorer.exe

pid	process
780	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe

pid process

2044 a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 912 vssvc.exe
Token: SeRestorePrivilege 912 vssvc.exe
Token: SeAuditPrivilege 912 vssvc.exe

pid	process
2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe

description	pid	process
Token: SeBackupPrivilege	912	vssvc.exe
Token: SeRestorePrivilege	912	vssvc.exe
Token: SeAuditPrivilege	912	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exea898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exeexplorer.exe

description	pid	process	target process
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 2044 wrote to memory of 1648	2044	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
PID 1648 wrote to memory of 1808	1648	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	explorer.exe
PID 1648 wrote to memory of 1808	1648	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	explorer.exe
PID 1648 wrote to memory of 1808	1648	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	explorer.exe
PID 1648 wrote to memory of 1808	1648	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	explorer.exe
PID 1648 wrote to memory of 1808	1648	a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe	explorer.exe
PID 1808 wrote to memory of 780	1808	explorer.exe	vssadmin.exe
PID 1808 wrote to memory of 780	1808	explorer.exe	vssadmin.exe
PID 1808 wrote to memory of 780	1808	explorer.exe	vssadmin.exe
PID 1808 wrote to memory of 780	1808	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
"C:\Users\Admin\AppData\Local\Temp\a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe
"C:\Users\Admin\AppData\Local\Temp\a898a3c616fab1e3c8f05eacf9ba459af21aefb63937cfc10778e77aaa375b3a.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ywynugoxasijikec\01000000
Filesize
554KB

MD5
8f0e0b57e90263fc57cf2bc4616229cf

SHA1
0ff97a77448db7b79ab1c44bc23e57c7ca688b48

SHA256
a8f1fc3259ece4871f81a70f1a54bd286ed573779437a215f93fd78dfd7f7db3

SHA512
f21d4c12ac05f489eb30dfe05f60b86c11ab573bcc754eac0ceb6adddca7d5f1ef3da1d9410764b396cde1aaa3e9d4f9d7068d692e8b63ee1101c0635da660c7

Download Submit
memory/780-79-0x0000000000000000-mapping.dmp

Download
memory/1648-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-65-0x000000000040A61E-mapping.dmp

Download
memory/1648-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-73-0x000000000009A160-mapping.dmp

Download
memory/1808-75-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download
memory/1808-71-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1808-69-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1808-78-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1808-80-0x00000000729C1000-0x00000000729C3000-memory.dmp

Filesize
8KB

Download
memory/2044-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads